informatica:linux:traefik

informatica:linux:traefik [2022/06/03 18:24] – created javi
informatica:linux:traefik [2022/06/03 18:32] (current) javi
Line 5: Line 5:
 1. Get public IP address of server 1. Get public IP address of server
  
 +<code>
 curl ifconfig.me curl ifconfig.me
-37.15.254.41+8.8.8.
 +</code>
  
 2. Setup a DNS entry that points to that server 2. Setup a DNS entry that points to that server
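Review bot: the redacted `curl ifconfig.me` output in step 1 now reads "8.8.8.", which is truncated and, once a reader completes it to 8.8.8.8, is the Google resolver queried in step 2.1, so the server's public address and the DNS server become indistinguishable. Use an RFC 5737 documentation address such as `192.0.2.10` here and in the matching dig output so the two checks still visibly agree.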
Line 12: Line 14:
 2.1. Check DNS name 2.1. Check DNS name
  
 +<code>
 dig @8.8.8.8 test.javilegido.com +short dig @8.8.8.8 test.javilegido.com +short
-37.15.254.41+8.8.8.
 +</code>
  
 3. Make sure ports TCP 80 and 443 are open 3. Make sure ports TCP 80 and 443 are open
  
-WARNING: if behind LAN router remember to setup NAT+**WARNING**: if behind LAN router remember to setup NAT
  
 4. Generate certificate 4. Generate certificate
  
 +<code>
 mkdir etc_letsencrypt mkdir etc_letsencrypt
 docker run -it \ docker run -it \
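Review bot: the `dig @8.8.8.8 test.javilegido.com +short` output in 2.1 was replaced with the same "8.8.8." fragment, so the check now looks as if the hostname resolves to the resolver itself; it should show the same placeholder as step 1, since the whole point of 2.1 is that the two values match. Step 3 and the bold NAT WARNING should also name the direction and the reason: certbot in step 4 is started with `-p 80:80` (HTTP-01, the CA connects inbound on 80) and Traefik in step 6 uses the TLS challenge on 443, so both ports must be forwarded from the router to this host, and "make sure ports are open" needs a test from outside the LAN, not just the DNS lookup.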
Line 28: Line 33:
   -p 80:80 \   -p 80:80 \
   certbot/certbot certonly   certbot/certbot certonly
 +</code>
  
 +<code>
 1 1
-javi@legido.com+javi@example.com
 Y Y
 N N
 test.javilegido.com test.javilegido.com
 +</code>
  
-```+<code>
 Requesting a certificate for test.javilegido.com Requesting a certificate for test.javilegido.com
 Successfully received certificate. Successfully received certificate.
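Review bot: the block of interactive answers ("1", the e-mail, "Y", "N", the hostname) is left unexplained, so a reader will replay it blindly; say that "1" selects the standalone authenticator (which is why `-p 80:80` is published), "Y" accepts the Let's Encrypt terms, and "N" declines sharing the address with the EFF. The e-mail is also the ACME account contact that receives expiry warnings, so the `javi@example.com` placeholder must be replaced with a monitored mailbox rather than left as-is.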
Line 51: Line 59:
  * Donating to EFF:                    https://eff.org/donate-le  * Donating to EFF:                    https://eff.org/donate-le
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-```+</code>
  
 5. 5.
  
 +<code>
 tree tree
 +</code>
  
 +<code>
 etc_letsencrypt/ etc_letsencrypt/
 ├── accounts ├── accounts
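Review bot: step "5." has no title and the `tree` listing says nothing about what to look for; name the step (for example "5. Inspect the files certbot wrote") and mention that `etc_letsencrypt/` was written by the certbot container running as root, so it is root-owned on the host, which is the reason step 7.1 later needs a `chown`.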
Line 91: Line 102:
  
  certbot  certbot
 +</code>
  
 +<code>
 fullchain.pem => certificate fullchain.pem => certificate
 privkey.pem => key privkey.pem => key
 chain.pem => CA public certificate chain.pem => CA public certificate
 +</code>
  
  acme.json  acme.json
  
 +<code>
     "Certificates": [     "Certificates": [
       {       {
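Review bot: the legend `chain.pem => CA public certificate` is imprecise: certbot's chain.pem holds the intermediate (issuing CA) certificates, not the root; fullchain.pem is the leaf followed by that chain; and privkey.pem is the only secret in the tree and should be called the private key. The bare `acme.json` line also needs a sentence: it is Traefik's ACME store (account key plus the per-domain key and certificate, as the `"Certificates": [` excerpt shows), so it must stay mode 0600; Traefik checks this and skips the resolver with a "permissions ... are too open" error when the file is more permissive.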
Line 107: Line 122:
         "Store": "default"         "Store": "default"
       },       },
 +</code>
  
 6. Deploy traefik with one example 6. Deploy traefik with one example
Line 114: Line 130:
 6.1.  6.1. 
  
 +<code>
 vim docker-compose.yml vim docker-compose.yml
 +</code>
  
 Adjust: Adjust:
  
 +<code>
 --certificatesresolvers.myresolver.acme.email --certificatesresolvers.myresolver.acme.email
 traefik.http.routers.whoami.rule traefik.http.routers.whoami.rule
 +</code>
  
-NOTE: the challenge is listening in port 8080, so don't change it+**NOTE**: the challenge is listening in port 8080, so don't change it
  
-```+<code>
 version: "3.3" version: "3.3"
  
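Review bot: the NOTE "the challenge is listening in port 8080, so don't change it" does not match this configuration: the compose file sets `acme.tlschallenge=true`, and TLS-ALPN-01 is validated by the CA connecting to port 443 (the `websecure` entrypoint the whoami router is bound to), not to 8080. If 8080 is the Traefik dashboard/API port, as in the upstream whoami example this file follows, say that instead and warn that it must not be published to the Internet without authentication, because the dashboard lists every router, service and TLS setting.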
Line 139: Line 159:
       - "--certificatesresolvers.myresolver.acme.tlschallenge=true"       - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
       #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"       #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-      - "--certificatesresolvers.myresolver.acme.email=javi@legido.com"+      - "--certificatesresolvers.myresolver.acme.email=javi@example.com"
       - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"       - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
     ports:     ports:
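Review bot: the commented-out `caserver=https://acme-staging-v02.api.letsencrypt.org/directory` line deserves a sentence: enable it for the first runs, because a closed port 443 or a wrong router rule produces repeated failed orders against production, and Let's Encrypt counts those toward its rate limits (5 failed validations per account, per hostname, per hour). Staging certificates are not trusted by browsers or `wget`, so the 6.3 test will fail until you switch back, and the staging account and certificate stored in acme.json must be removed when you do.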
Line 156: Line 176:
       - "traefik.http.routers.whoami.entrypoints=websecure"       - "traefik.http.routers.whoami.entrypoints=websecure"
       - "traefik.http.routers.whoami.tls.certresolver=myresolver"       - "traefik.http.routers.whoami.tls.certresolver=myresolver"
-```+</code>
  
 6.2. Start  6.2. Start 
  
 +<code>
 docker-compose up -d docker-compose up -d
 +</code>
  
 +<code>
 docker logs -f traefik docker logs -f traefik
 +</code>
  
-```+<code>
 ... ...
 time="2022-06-03T18:15:00Z" level=debug msg="Certificates obtained for domains [test.javilegido.com]" providerName=myresolver.acme routerName=whoami@docker rule="Host(`test.javilegido.com`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory" time="2022-06-03T18:15:00Z" level=debug msg="Certificates obtained for domains [test.javilegido.com]" providerName=myresolver.acme routerName=whoami@docker rule="Host(`test.javilegido.com`)" ACME CA="https://acme-v02.api.letsencrypt.org/directory"
 time="2022-06-03T18:15:00Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=myresolver.acme time="2022-06-03T18:15:00Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=myresolver.acme
 ... ...
-```+</code>
  
 6.3. 6.3.
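Review bot: the quoted log lines are `level=debug`, which implies the compose file raises `--log.level` to DEBUG; that is what makes "Certificates obtained for domains [...]" visible, so say so, and drop the level back to INFO once issuance works, since debug output repeats the full dynamic configuration (`Configuration received: {...}`) on every refresh. Step 6.3 also lacks a title ("6.3. Test" would match 8.5).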
Line 175: Line 199:
 (From another host) (From another host)
  
 +<code>
 wget https://test.javilegido.com wget https://test.javilegido.com
 +</code>
  
 6.4. Stop 6.4. Stop
  
-docker-compose down +<code> 
 +sudo docker-compose down  
 +</code>
  
 6.5. Backup 6.5. Backup
  
 +<code>
 sudo cp letsencrypt/acme.json ./acme.json.bak sudo cp letsencrypt/acme.json ./acme.json.bak
 +</code>
  
 7. Replace certs 7. Replace certs
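Review bot: the backup in 6.5 (`sudo cp letsencrypt/acme.json ./acme.json.bak`) copies the ACME account private key and the certificate private key in plain text into the compose directory, so it needs the same handling as the original: keep it at 0600, keep it out of version control or outside the tree, and delete it once step 8 confirms the replacement. Minor: 6.2 runs `docker-compose up -d` without sudo while 6.4 uses `sudo docker-compose down`; pick one, since mixing them is a common cause of "permission denied" on the root-owned acme.json.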
Line 189: Line 219:
 7.1. Transform certbot certificates in strings 7.1. Transform certbot certificates in strings
  
 +<code>
 sudo chown -R `whoami`:`whoami` etc_letsencrypt* sudo chown -R `whoami`:`whoami` etc_letsencrypt*
 +</code>
  
 +<code>
 _IN=etc_letsencrypt/live/test.javilegido.com/fullchain.pem _IN=etc_letsencrypt/live/test.javilegido.com/fullchain.pem
 _OUT=traefik_certificate _OUT=traefik_certificate
 cat $_IN | base64 | tr '\n' ' ' | sed --expression='s/\ //g' > $_OUT cat $_IN | base64 | tr '\n' ' ' | sed --expression='s/\ //g' > $_OUT
 +</code>
  
 +<code>
 _IN=etc_letsencrypt/live/test.javilegido.com/privkey.pem _IN=etc_letsencrypt/live/test.javilegido.com/privkey.pem
 _OUT=traefik_key _OUT=traefik_key
 cat $_IN | base64 | tr '\n' ' ' | sed --expression='s/\ //g' > $_OUT cat $_IN | base64 | tr '\n' ' ' | sed --expression='s/\ //g' > $_OUT
 +</code>
  
 7.2. Edit: 7.2. Edit:
  
 +<code>
 sudo vim letsencrypt/acme.json  sudo vim letsencrypt/acme.json 
 +</code>
  
 And replace: And replace:
  
 +<code>
 certificate: Content of file 'traefik_certificate' certificate: Content of file 'traefik_certificate'
 key: Content of file 'traefik_key' key: Content of file 'traefik_key'
 +</code>
  
-WARNING: both files content differ, "letsencrypt/acme.json" and "acme.json.bak"+**WARNING**: both files content differ, "letsencrypt/acme.json" and "acme.json.bak"
  
 8. Test 8. Test
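Review bot: `_OUT=traefik_key` writes the base64 of privkey.pem (an encoding, not encryption) into the working directory under the default umask, so the private key is typically world-readable on disk; run `umask 077` first or `chmod 600 traefik_key`, and remove both generated files once acme.json has been updated. The `cat $_IN | base64 | tr '\n' ' ' | sed ...` pipeline is `base64 -w0 "$_IN"` on GNU coreutils, which also quotes the path. The WARNING that "both files content differ" is expected after the edit; reword it to say what must change (only the `certificate` and `key` values) and that everything else in acme.json must be left intact.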
Line 214: Line 254:
 8.1. Take MD5 of acme.json 8.1. Take MD5 of acme.json
  
 +<code>
 sudo md5sum letsencrypt/acme.json  sudo md5sum letsencrypt/acme.json 
 +</code>
  
 +<code>
 ec151c804d1776d898b62b1b30691aeb  letsencrypt/acme.json ec151c804d1776d898b62b1b30691aeb  letsencrypt/acme.json
 +</code>
  
 8.2. Make file "acme.json" readonly 8.2. Make file "acme.json" readonly
  
 +<code>
 vim docker-compose.yml vim docker-compose.yml
 +</code>
  
 And leave change only below line: And leave change only below line:
  
 +<code>
       #- "./letsencrypt:/letsencrypt"       #- "./letsencrypt:/letsencrypt"
       - "./letsencrypt:/letsencrypt:ro"       - "./letsencrypt:/letsencrypt:ro"
 +</code>
  
 8.3. Recreate 8.3. Recreate
  
 +<code>
 sudo docker-compose up -d --force-recreate sudo docker-compose up -d --force-recreate
 +</code>
  
 8.4. Check MD5 of the file: 8.4. Check MD5 of the file:
  
 +<code>
 sudo md5sum letsencrypt/acme.json sudo md5sum letsencrypt/acme.json
 +</code>
  
 +<code>
 ec151c804d1776d898b62b1b30691aeb  letsencrypt/acme.json ec151c804d1776d898b62b1b30691aeb  letsencrypt/acme.json
 +</code>
  
 Should be the same than step 8.1. Should be the same than step 8.1.
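Review bot: making the mount read-only in 8.2 (`./letsencrypt:/letsencrypt:ro`) silently disables Traefik's renewal, so this procedure must be paired with a certbot renewal and a repeat of step 7 before the 90-day expiry, or the site goes dark; an alternative that avoids hand-editing acme.json is the file provider's `tls.certificates` entries pointing at fullchain.pem and privkey.pem. The MD5 comparison in 8.1/8.4 only confirms that Traefik did not rewrite the file, which the read-only mount already guarantees; it says nothing about which certificate is being served. Wording: "And leave change only below line" should read "Change only the line below".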
Line 241: Line 295:
 8.5. Test 8.5. Test
  
 +<code>
 wget https://test.javilegido.com wget https://test.javilegido.com
 +</code>
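Review bot: `wget https://test.javilegido.com` in 8.5 only proves that the served chain is trusted, which would also be true if Traefik were still serving its own certificate from step 6; to verify the replacement took effect, compare the certbot certificate with the one on the wire, e.g. `openssl x509 -in etc_letsencrypt/live/test.javilegido.com/fullchain.pem -noout -fingerprint -sha256` against `openssl s_client -connect test.javilegido.com:443 -servername test.javilegido.com </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`, which must print the same value.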
informatica/linux/traefik.1654280669.txt.gz · Last modified: 2022/06/03 18:24 by javi